It's 10:00 PM. Do you know where your data is?
Is it nestled securely within the firewalls of your data center, or is it more adventurous, spanning the boundaries of various public clouds? Cloud adoption continues to grow at unprecedented rates, raising concerns about data privacy and also about data residency, especially for organizations considering Infrastructure as a Service (IaaS) in a public cloud.
I recently attended a presentation by a large cloud service provider (CSP), whose presenter proudly explained that they immediately make three copies of customer data, placing them in disparate data centers to ensure availability and disaster recovery. Because he was speaking to a room full of security people, it's safe to say the audience quickly became more concerned than comforted.
There is a complex web of regulations and policies that govern data privacy. The most frequently cited are the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). European data protection laws often go even further, prohibiting any personally identifiable information from moving outside EU or country borders. This puts some obvious limits on unrestrained use of the public cloud.
Organizations are also concerned that law enforcement or government officials could potentially access data directly from their CSP, bypassing the company completely. As Gartner recently pointed out in their research note, ‘Five Cloud Data Residency Issues That Must Not Be Ignored,’
“Many countries have passed national laws to provide authorities with access to enterprise data; this may conflict with the legal protection rights of data in the originating jurisdiction, and may grant secret access to data via cloud service providers without the enterprise’s knowledge or permission.”
Yikes! No wonder companies are skittish about putting mission critical applications and data in the cloud.
CSPs and Software as a Service (SaaS) providers are starting to move in the right direction. Amazon recently announced the addition of more robust key management services for data encryption in AWS. SaaS providers like Salesforce.com are adopting and offering encryption and tokenization capabilities to customers with data residency and privacy concerns. Some CSPs even offer the ability to restrict the boundaries of your ‘cloud’ to ensure data doesn’t pass country borders.
These are all moves in the right direction. But let’s set aside the thousands of privacy and disclosure laws for a moment. The fundamental reason data privacy and data jurisdiction mandates exist is to prevent unauthorized access to sensitive information: whether it is that of an individual, a company, or even the government. And sadly, cyber criminals are getting smarter and more resourceful.
What We Should Do
So let’s take a step back from ‘what we have to do’ and focus on ‘what we should do’ from a data privacy perspective in the cloud.
1. You DO need a policy around cloud adoption. I talk with a lot of CSOs, and they are very aware of the attraction of the cloud, especially when internal equipment procurement can take weeks or even months. But many are still in the process of developing a formal cloud strategy. While many early cloud initiatives support pilot projects, R&D work, and QA testing, there is still potential for data theft or loss. Even some basic guidance to your company about vetted service providers, acceptable projects, and security policy can go a long way toward reducing your exposure.
2. Consider encryption or tokenization. If you’re already going to the public cloud, or your organization needs to comply with data residency requirements, you want to make sure your data is secure. In fact, the Gartner research I mentioned above recommends encryption to help address data residency concerns, provided the encryption solution allows for local key management and prevents privileged users from having access.
3. Talk to your service provider. Data protection isn’t just about availability, and the innovative CSPs understand this. Make sure that you are signing up with a partner who takes your data privacy as seriously as you do. Ask questions that may not be part of the SLA: How many copies of your data are there? Where are they stored? How can you ensure that data is erased or unreadable in the event that you choose to decommission or change service providers?
As with any complicated legal scenario, it’s always a good idea to talk with your corporate lawyers to understand specific import/export laws and other privacy mandates that impact your organization. If you’ve already made a strategic move to the cloud, I’d love to hear how you tackled data security or residency.